U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

U.S. Census Bureau

Respondent Data Safeguards in the Decennial Response Integration System (DRIS)

Final Report No. OAE-19888
September 2010

Office of Audits and Evaluation

UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

September 24, 2010

MEMORANDUM FOR:   Rebecca M. Blank
                  Under Secretary for Economic Affairs
                  U.S. Department of Commerce

                  Dr. Robert Groves
                  Director
                  U.S. Census Bureau

FROM:             Allen Crawley
                  Assistant Inspector General for Systems Acquisition and IT Security

SUBJECT:          Respondent Data Safeguards in the Decennial Response Integration System (DRIS)
                  Final Report OAE-19888

Attached please find the final report of our assessment of respondent data safeguards in the Decennial Response Integration System (DRIS). This was the first 2010 Decennial Census system for which we evaluated information technology (IT) security controls. Our review of other systems is ongoing and the results from that work will be included in our FY 2010 FISMA audit report and report to OMB. We identified vulnerabilities in DRIS security controls that required corrections in order to ensure the system adequately safeguarded respondent data. However, we acknowledge that, even before the corrections, DRIS had security features that significantly mitigated risk. In addition, we identified a weakness in the system's definitions for secure configurations that suggests the need for increased management attention to future contractor systems.

Census, in its response, indicated that all but one of the vulnerabilities we identified had been remediated (its contractor began corrections after we briefed Census and the contractor on our preliminary findings), and that DRIS completed data capture and telephone operations with no reported security breaches. According to the bureau, it also intends to develop a strategy to ensure that requirements for secure configurations are more clearly mandated for future contractor systems. In this regard, please submit to us an action plan, or the documented strategy, within 60 days of the date of this memorandum.

We appreciate the cooperation and courtesies extended to us by your staff during our evaluation. If you have any questions or concerns about this report, please do not hesitate to contact me at (202) 482-1855.

cc:   Simon Szykman, Chief Information Officer, Department of Commerce
      Thomas L. Mesenbourg, Jr., Deputy Director and Chief Operating Officer, U.S. Census Bureau
      Arnold A. Jackson, Associate Director for Decennial Census, U.S. Census Bureau
      Brian E. McGrath, Associate Director for Information Technology and Chief Information Officer, U.S. Census Bureau
      Tracy Wessler, DRIS Program Manager, U.S. Census Bureau
      Timothy P. Ruland, Chief, Information Technology Security Office, U.S.
      Census Bureau
      Jean McKenzie, Census audit liaison

Report In Brief
U.S. Department of Commerce, Office of Inspector General
September 2010

U.S. Census Bureau
Respondent Data Safeguards in the Decennial Response Integration System (DRIS) (OAE-19888)

Why We Did This Review

As part of our oversight of the 2010 Decennial Census, we evaluated whether required controls meant to serve as safeguards over electronic respondent data in the Decennial Response Integration System (DRIS) were effectively meeting data security requirements.

Background

DRIS is a contractor-operated system, currently in the process of being decommissioned, that supported the 2010 Decennial Census by converting paper-based responses into electronic form and transmitting the data, encrypted, to Census for further processing. It also provided telephone questionnaire assistance through interactive voice response and call center staff to help callers complete Census forms. Further, it followed up on coverage of respondents who submitted incomplete information; operators then updated the response database. A separate contractor sampled response data to independently verify the accuracy of the conversion from scanned paper forms to electronic data. These operations have been completed.

DRIS was effectively separated from the Internet; users had limited access to respondent data. However, the system had been certified and accredited almost 2 years before it began operating, raising the potential for unidentified vulnerabilities without rigorous, continuous monitoring.

What We Found

Overall we found vulnerabilities in DRIS security controls that should normally have been remediated; however, several factors existed that significantly mitigated the risk of a security breach: the system was not accessible from the Internet, and user interfaces limited access to respondent data. We also identified a weakness in the system's definitions for secure configurations that suggests the need for increased management attention to future contractor systems. The table below describes these findings at a glance:

Finding:   Vulnerabilities existed in system components.
Examples:  • Malicious code could be introduced through removable media (e.g., USB thumb drives)
           • Default password
           • Database users were granted excessive access
           • Lack of logging of security-related events
           • Some network components were running prohibited services

Finding:   Configuration settings were not adequately defined and documented. (Department policy requires this for hardening systems against cyber attacks.)
Examples:  Checklists of secure settings for various technologies were incomplete or lacked an appropriate benchmark; for one class of servers, a checklist was not defined.

What We Recommend

We recommend that, for future contractor systems, the Census Bureau ensure that configuration settings for IT products be defined, documented, and implemented in accordance with Department policy. We make no recommendation with respect to system vulnerabilities because the system has concluded operations and is in the process of being decommissioned. Further, Census indicated, in response to our draft report, that its contractor had remediated all but one of the vulnerabilities (the remediation began shortly after our initial fieldwork in March 2010).

U.S. Department of Commerce                Final Report OAE-19888
Office of Inspector General                September 2010

INTRODUCTION

As part of our oversight of the 2010 Decennial Census and our obligations under the Federal Information Security Management Act of 2002 (FISMA), we evaluated the Decennial Response Integration System's (DRIS) safeguards for electronic respondent data. Our objective was to determine whether required controls were effectively meeting security requirements so that confidential respondent data were adequately protected. Our detailed scope and methodology are included as Appendix I.
DRIS operations have now concluded and the system is in the process of being decommissioned.

DRIS is a contractor-operated[1] system that converted paper-based census questionnaire responses into electronic form and transmitted the data to the Census Bureau for further processing. DRIS also provided telephone questionnaire assistance in which an interactive voice response application and call center staff provided assistance to callers in completing census forms. The "telephony channel" also included a "coverage follow-up" operation in which call center operators interviewed respondents who provided incomplete information on census forms; the operators then updated the response database. In addition, DRIS had a "paper data quality" function, in which a separate contractor independently sampled response data to determine the accuracy of the conversion from scanned paper forms to electronic data.

DRIS transmitted encrypted respondent data to the Census Bureau. Key security features included its architecture and application design, which effectively separated the system from the Internet and limited access to respondent data to authorized users who typically received the data one "case" at a time, through a controlled user interface.

Census certified and then accredited DRIS in March 2008, nearly 2 years prior to system operations, which began in February 2010. This FISMA-required process identifies vulnerabilities and leads to management's acknowledgement and acceptance of the risk of operating the system. The early accreditation, before the system was fully deployed, raised the potential for unidentified vulnerabilities without a rigorous continuous monitoring program.

Under 13 U.S.C. § 9, Census must use confidential information for the statistical purposes for which it is supplied, must not make any publication that would identify the data furnished by a particular respondent, and must not permit unauthorized persons to examine individual reports. In furtherance of these limitations, authorized persons must have a work-related need to know to use the data. The oath taken by authorized persons to uphold the confidentiality of census information is a lifetime obligation. Census has an unauthorized-browsing policy that prohibits searching or looking through, for other than work-related purposes, protected information that directly or indirectly identifies individual persons or businesses. The removal of confidential data from the bureau in the form of memory sticks, CDs, or other electronic media is also prohibited.

[1] The DRIS contractor, Lockheed Martin, previously supported the paper data capture component during the 2000 Decennial Census.

SUMMARY

DRIS had security features in place that significantly mitigated risk, yet vulnerabilities remained that required correction to ensure that DRIS adequately safeguarded respondent data. There were a number of factors—in particular, that the system was not accessible from the Internet and user interfaces limited access to respondent data—that significantly mitigated the risk of a security breach. We identified a weakness in the system's definitions for secure configurations that suggests the need for increased management attention to future contractor systems. We communicated to Census officials the security issues identified throughout our review; in many instances, Census and the DRIS contractor said that they addressed these security issues. We did not, however, independently validate their assertions.

The table below summarizes our findings with recommendations:

Finding:         Vulnerabilities existed in system components.
Examples:        • Malicious code can be introduced through removable media (e.g., USB thumb drives)
                 • Default password not changed
                 • Database users granted excessive access
                 • Security-relevant events not logged
                 • Some network components running prohibited services
Recommendation:  (None.) In response to our draft report, Census asserted that, with the exception of excessive access granted to database users, these vulnerabilities have been remediated; the system is in the process of being incrementally decommissioned.

Finding:         Configuration settings were not adequately defined and documented. (Department policy requires this for hardening systems against cyber attacks.)
Examples:        • Checklists of secure settings for various technologies were incomplete or lacked an appropriate benchmark; for one class of servers, a checklist was not defined.
Recommendation:  For future contractor systems, configuration settings for IT products should be defined, documented, and implemented in accordance with Department policy.

FINDINGS AND RECOMMENDATIONS

Vulnerabilities in Key Technologies Needed to Be Addressed to Ensure That Respondent Data Were Adequately Protected

While we identified vulnerabilities in DRIS controls, a number of factors, including its separation from the Internet and users' limited interface, compensated for those weaknesses and reduced the likelihood of a data breach. We have since shared with Census all control assessment findings, and Census and the DRIS contractor have indicated that most of the issues have been corrected. In some instances, however, according to the contractor, the workload at the peak of production was too great to risk implementing corrections that could have impacted system performance. Based on our understanding of the system and operations, these particular remaining vulnerabilities did not pose undue risk.

Vulnerabilities Existed in System Components

Vulnerabilities were evident in DRIS protections against malicious code that can be introduced through removable media such as USB thumb drives. Windows®-based servers and workstations in the system's telephony channel and the paper data quality segment were not configured to prevent removable media devices from automatically executing code stored on the devices.
In addition, none of the system's Windows-based components had a Microsoft®-issued patch that is required to effectively disable the ability of removable media to automatically execute code. We successfully exploited this flaw in the DRIS laboratory environment, which was also not patched, demonstrating the potential for malicious code to be introduced via removable media.

Another vulnerability existed with database management systems, including one that managed the respondent database: a default password for a highly privileged account was not changed. After we promptly notified Census of this finding, the bureau informed us that the default password was stored in an unused repository and that database administrators logged in using a separate mechanism and different password. Census therefore believed the finding was a "false positive." However, Department policy requires default account passwords to be changed; we found that other default account passwords in the same repository had been changed previously. Changing default passwords is a fundamental security practice, and the existence of a default password does present the potential for misuse. Census told us that the DRIS contractor has since changed the default password in question.

Database users were granted excessive privileges according to both an industry benchmark and DRIS's own checklist. According to Census officials and the DRIS contractor, they planned to evaluate the necessity of modifying these settings in the DRIS databases. In response to other database issues that we identified, the DRIS contractor did not intend to make modifications because doing so may have affected the systems' ability to process millions of transactions daily. Based on our understanding of the system and operations, we believe leaving these vulnerabilities uncorrected did not pose undue risk.

Domain controllers that we sampled, which implemented security policy for much of DRIS, were not auditing events that are identified in the system security plan as significant and relevant to system security. According to the DRIS contractor, this was the result of conflicting policies being applied to the domain controllers; the contractor said, however, that it would work to resolve the issue. Likewise, scans revealed that workstations' audit settings were not in compliance with the Federal Desktop Core Configuration (FDCC).[2] A significant number of noncompliant settings were discovered in components of the paper data quality function (three workstations from our sample of eight components accounted for 56 percent of the discrepancies).

Two other vulnerable settings in servers running Windows operating systems had the potential to allow an attacker immediate access into a machine or allow highly-privileged access. The DRIS contractor initially said that the settings were necessary for compatibility with legacy applications, but later said that the software had since been updated and should no longer be incompatible.
More recently, the contractor told us that it had successfully tested more secure settings in its lab environment and planned to implement the settings in production.

Routers and switches were running insecure services as defined by an industry benchmark and DRIS's own network design document. We shared our detailed findings with Census and the DRIS contractor. In response, the contractor planned to modify the settings to comply with the industry benchmark and update the DRIS network design document.

In general, firewall configurations were consistent with baseline rules captured in DRIS's configuration management system. We shared our detailed findings with Census and the DRIS contractor; where there were discrepancies, the contractor planned to correct the running configurations or update the baseline as necessary. Of the discrepancies, the most common was one that would omit logging of unauthorized traffic attempting to pass through a firewall—something that would have assisted in detecting malicious activity.

Configuration Settings Were Not Adequately Defined and Documented

Configuration settings of DRIS's IT products, required to be at the most restrictive mode consistent with operational requirements, were not defined and documented according to Department policy. DRIS's checklist for databases addressed only 3 of the 13 sections (74 of the 277 potential settings—27 percent) of the industry benchmark that the DRIS contractor said was the basis for the checklist. Windows operating system settings were better defined than other IT products in the system, but ambiguities existed. According to Census, Windows components, including servers, were configured according to the FDCC. However, documented deviations from it were not completed; many settings were marked "not configured–need more testing." And FDCC is intended for workstations, not servers. For routers and switches, a network design document addressed a very small subset of benchmark settings (insecure services); in practice, the design document was not followed. Likewise, the DRIS contractor's security configurations document for servers running a UNIX®-based operating system did not constitute properly-defined settings.

[2] Office of Management and Budget, Executive Office of the President, OMB Memorandum No. 08-22, Guidance on the Federal Desktop Core Configuration (FDCC) (2008). The FDCC is an OMB-mandated security configuration for Windows XP and Windows Vista operating systems.

In general, Commerce policy requires that a secure benchmark (typically from industry) be used as a starting point and that deviations from the benchmark then be documented to produce the system's tailored checklist of configuration settings for a given IT product. This provides assurance that the system has been appropriately hardened and promotes unambiguous assessment of component security.

Illustrating the issue, we found a file transfer protocol (FTP[3]) server, which could have presented a security risk, running on a UNIX-based server, yet the DRIS contractor told us that it should not have been. However, the contractor's security configurations document for its UNIX-based systems did not prohibit or otherwise address FTP servers. If it had, this server would have been in clear violation of the allowed settings and services, which Department policy requires be defined. Implementing and maintaining secure configuration settings is one of the most effective ways of negating threats. Adequately defining configuration settings has been an issue we have raised in previous Census reviews.

Recommendation

We recommend that Census ensure that, for future contractor systems, configuration settings for IT products be defined, documented, and implemented in accordance with Department policy.

[3] FTP is a communications protocol governing the transfer of files from one computer to another over a network.

Summary of Census Comments and OIG Response

In response to our draft report, Census did not dispute our findings and indicated agreement with our recommendations, only one of which remains for the final report. The draft report recommended that vulnerabilities that we identified be promptly remediated; the bureau asserted that all but one of the vulnerabilities had been. Census's response suggests that the remaining vulnerability—excessive privileges granted to database users—is no longer a concern because the system is now in the process of being incrementally decommissioned and database users no longer exist.
The bureau further stated that the "DRIS program conducted the 2010 Decennial Census paper data capture and telephone operations with no reported security breaches."

With respect to configuration settings, the bureau explained that these requirements were not clearly mandated through contractual terms and that it will develop a strategy to ensure that future contractor systems will be required to comply. Census also suggested an editorial change, which we have incorporated into this final report. The full Census response is included as Appendix II to this report.

OIG Response

We are pleased that Census and its contractor took steps to remediate the vulnerabilities we identified and agree with the bureau's position regarding the one remaining vulnerability. We look forward to reviewing Census's strategy to ensure that future contractor systems adhere to requirements for secure configuration settings.

APPENDIX I: SCOPE AND METHODOLOGY

Decennial respondent data are the information supplied by individuals on Decennial Census forms, whether mailed in or collected by Census employees. We chose to evaluate safeguards for electronic respondent data because two of our top management challenges facing the Department are the Decennial Census and IT security.

This report presents the results of our evaluation of the Decennial Response Integration System (DRIS), which was the first system in Census' decennial workflow to process, store, and transmit electronic decennial respondent data. DRIS included three paper data capture centers, in Baltimore,[4] Phoenix, and Jeffersonville, Indiana; a teletech center in Denver and call centers at various locations; and an operational command center/program management office in Greenbelt, Maryland.

We determined that this system included confidential respondent data based on interviews and documentation obtained from Census. We then reviewed system documentation and interviewed Census and DRIS contractor employees to determine how respondent data were stored, processed, distributed, and protected. This information was then used in our third, most crucial objective: determining whether required security controls were effectively meeting the security requirements for the data.

We assessed a subset of FISMA- and Commerce-required controls from National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 2, Recommended Security Controls for Federal Information Systems: Access Control Policy and Procedures (AC-1), Access Enforcement (AC-3), Information Flow Enforcement (AC-4), Remote Access (AC-17), Auditable Events (AU-2), Configuration Settings (CM-6), Media Access (MP-2), and Transmission Confidentiality (SC-9). We selected these controls for their relation to Title 13 confidentiality requirements and other important aspects of information security. We have been required to report on the status of configuration settings in our annual FISMA report to the Office of Management and Budget.

We visited the DRIS operational command center in Greenbelt, Maryland, to collect security-related data, interview system personnel, and observe system security capabilities. Our assessment included extracting, examining, and verifying system configurations; executing scripts and manual checklists; vulnerability scanning; examining system logs; analyzing the system security plan and related policies and procedures; and interviewing both Census and DRIS contractor personnel.

We used the following criteria:

   • Federal Information Security Management Act of 2002 (FISMA), Pub. L. No. 107–347, Title III, §§ 301-302, 44 U.S.C. §§ 3541-3549, 40 U.S.C. § 11331

   • U.S. Department of Commerce, IT Security Program Policy, March 2009 and component Commerce Interim Technical Requirements (CITRs):
         o CITR-001: Federal Desktop Core Configuration (FDCC)
         o CITR-005: Removable Media Devices

   • NIST Federal Information Processing Standards (FIPS):
         o Publication 199, Standards for Security Categorization of Federal Information and Information Systems
         o Publication 200, Minimum Security Requirements for Federal Information and Information Systems

   • NIST Special Publications:
         o 800-53, Revision 2, Recommended Security Controls for Federal Information Systems
         o 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
         o 800-70, Security Configuration Checklists Program for IT Products
         o 800-115, Technical Guide to Information Security Testing and Assessment

We conducted our evaluation in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections (revised January 2005), issued by the President's Council on Integrity and Efficiency.

[4] Actually Essex, Maryland, a Baltimore suburb.

APPENDIX II: COMMENTS FROM THE U.S. CENSUS BUREAU

UNITED STATES DEPARTMENT OF COMMERCE
The Under Secretary for Economic Affairs
Washington, D.C. 20230

MEMORANDUM FOR:   Allen Crawley
                  Assistant Inspector General for Systems Acquisition and IT Security

FROM:

SUBJECT:          Respondent Data Safeguards in the Decennial Response Integration System (DRIS)
                  Draft Report No. OAE-19888, August 2010

Below are the Office of the Inspector General's recommendations for the findings identified during the evaluation of the Respondent Data Safeguards in the Decennial Response Integration System (DRIS), Draft Report No. OAE-19888, and the agency responses.

The DRIS system underwent an iterative design and development process. Although the systems were consciously designed within the NIST risk-based framework, this iterative approach sometimes affected the quality of the documentation. Census appreciates the feedback received in this report, and is pleased that the DRIS program conducted the 2010 Decennial Census paper data capture and telephone operations with no reported security breaches.

Comments

Re: Introduction, 5th paragraph. We recommend revising the first three sentences as set forth below. The revisions (a) place all three of the confidentiality limitations in the first sentence, (b) distinguish the work-related need to know policy requirement from the statutorily-based confidentiality limitations by placing this requirement in the second sentence, and (c) restate the lifetime requirement in the third sentence.

   "Under 13 U.S.C. § 9, Census must use confidential information for the statistical purposes for which it is supplied, must not make any publication that would identify the data furnished by a particular respondent, and must not permit unauthorized persons to examine individual reports. In furtherance of these limitations, authorized persons must have a work-related need to know to use the data. The oath taken by authorized persons to uphold the confidentiality of census information is a lifetime obligation."

Findings and Recommendations

1. Vulnerabilities existed in system components.

Census Response: With the exception of the vulnerability of excessive privileges granted to the database users, all other identified vulnerabilities have been remediated at this time. DRIS processing for the 2010 Decennial Census has now been completed, and the system is in the process of being incrementally decommissioned. At this time, the said database users no longer exist.

2. Configuration settings were not adequately defined and documented.

Census Response: While the Census Bureau has IT security standards, policies, and methodologies in place, the application of such standards, policies, and methodologies was not clearly mandated through the contractual terms. Future proprietary systems developed for the Census Bureau will be required to adhere to these standards, policies, and methodologies. Census will develop a strategy to ensure they are implemented, specifically with respect to the secure configuration policy.
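The finding "Configuration Settings Were Not Adequately Defined and Documented" turns on the tailoring process Department policy requires: start from a benchmark, document deviations, produce a tailored checklist, and then assess each component against it so that an observed setting is unambiguously compliant or a violation rather than, as with the FTP server on the UNIX-based system, simply unaddressed. The Python below is an added example written for this page, not OIG, Census or DRIS tooling; its benchmark items, deviations, coverage figures and observed server settings are constructed sample data, and it also reports the coverage percentage the way the report measured the database checklist (74 of 277 settings, 27 percent).

```python
from dataclasses import dataclass

# Assessment outcomes. UNDEFINED is the situation the report describes for the FTP
# server: the checklist was silent, so the finding could not be called a violation.
# UNTESTED is a setting left at "not configured-need more testing".
COMPLIANT, VIOLATION, UNDEFINED, UNTESTED = "compliant", "violation", "undefined", "untested"


@dataclass(frozen=True)
class BenchmarkItem:
    item_id: str
    section: str
    setting: str
    required: object  # value the industry benchmark calls for


@dataclass(frozen=True)
class Deviation:
    item_id: str
    value: object  # tailored value; None if the deviation was never resolved
    justification: str


# Constructed stand-in for an industry benchmark (the real one had 13 sections, 277 settings).
BENCHMARK = [
    BenchmarkItem("svc-01", "services", "ftp_server_enabled", False),
    BenchmarkItem("svc-02", "services", "telnet_enabled", False),
    BenchmarkItem("media-01", "removable_media", "autorun_disabled", True),
    BenchmarkItem("audit-01", "auditing", "logon_events_audited", True),
    BenchmarkItem("audit-02", "auditing", "policy_change_audited", True),
    BenchmarkItem("acct-01", "accounts", "default_passwords_changed", True),
]
ALL_SECTIONS = frozenset(item.section for item in BENCHMARK)

# Constructed documented deviations: one resolved with a justification, one never resolved.
DEVIATIONS = [
    Deviation("svc-02", True, "legacy application needs telnet until its upgrade (hypothetical)"),
    Deviation("audit-02", None, "not configured-need more testing"),
]


def build_checklist(benchmark, deviations, covered_sections):
    """Tailor the benchmark: keep items from the sections the checklist author addressed
    and apply documented deviations. Returns {item_id: (setting, required_or_None)}."""
    by_id = {d.item_id: d for d in deviations}
    checklist = {}
    for item in benchmark:
        if item.section not in covered_sections:
            continue  # section never addressed: the checklist is silent on these settings
        required = by_id[item.item_id].value if item.item_id in by_id else item.required
        checklist[item.item_id] = (item.setting, required)
    return checklist


def coverage(benchmark, checklist):
    """(benchmark settings with a defined value, benchmark total, percent)."""
    defined = sum(1 for _, required in checklist.values() if required is not None)
    return defined, len(benchmark), round(100 * defined / len(benchmark))


def assess(checklist, observed):
    """Classify every observed setting of one component against the tailored checklist."""
    required_by_setting = {setting: required for setting, required in checklist.values()}
    results = {}
    for setting, actual in observed.items():
        if setting not in required_by_setting:
            results[setting] = UNDEFINED
        elif required_by_setting[setting] is None:
            results[setting] = UNTESTED
        elif actual == required_by_setting[setting]:
            results[setting] = COMPLIANT
        else:
            results[setting] = VIOLATION
    return results


# Constructed observation of one server: FTP and telnet running, autorun not disabled,
# auditing switched off, a default password still in place.
OBSERVED_SERVER = {
    "ftp_server_enabled": True,
    "telnet_enabled": True,
    "autorun_disabled": False,
    "logon_events_audited": False,
    "policy_change_audited": False,
    "default_passwords_changed": False,
}


def main():
    # A checklist covering two of four sections versus one covering all of them.
    for label, sections in (("partial checklist", {"removable_media", "auditing"}),
                            ("complete checklist", ALL_SECTIONS)):
        checklist = build_checklist(BENCHMARK, DEVIATIONS, sections)
        defined, total, pct = coverage(BENCHMARK, checklist)
        print(f"{label}: {defined} of {total} benchmark settings defined ({pct} percent)")
        for setting, result in sorted(assess(checklist, OBSERVED_SERVER).items()):
            print(f"  {setting:26} {result}")


if __name__ == "__main__":
    main()
```

With the partial checklist the running FTP server is reported as undefined, exactly the gap the report describes; once the services section is addressed the same observation becomes a violation, and the telnet service is compliant only because its deviation is documented.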